From ad7224a332b09a72798ecd7976a6b07d0803b650 Mon Sep 17 00:00:00 2001 From: lilong Date: Fri, 25 Oct 2024 10:40:24 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20(feature/REQ-2595)=20=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E9=A1=B9=E7=9B=AE=E4=B8=8B=E6=9C=89=E6=9D=83=E9=99=90=E7=9A=84?= =?UTF-8?q?=E4=BA=BA=E6=94=AF=E6=8C=81=E6=9D=83=E9=99=90=E6=A0=87=E7=AD=BE?= =?UTF-8?q?=E8=BF=87=E6=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../axzo/tyr/client/feign/TyrSaasAuthApi.java | 1 + .../tyr/client/model/req/IdentityAuthReq.java | 18 - .../req/ListIdentityFromPermissionReq.java | 3 + .../req/ListPermissionFromRoleGroupReq.java | 2 + .../tyr/client/model/req/OUWorkspacePair.java | 4 + .../req/WorkspacePermissionIdentityReq.java | 4 + .../res/ListPermissionFromRoleGroupResp.java | 7 + .../axzo/tyr/server/model/FilterRoleAuth.java | 5 + .../server/service/TyrSaasAuthService.java | 6 - .../service/impl/TyrSaasAuthServiceImpl.java | 542 +++++------------- 10 files changed, 154 insertions(+), 438 deletions(-) diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java index aad7b6f8..14e6e2b5 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasAuthApi.java @@ -101,6 +101,7 @@ public interface TyrSaasAuthApi { /** * * 通过资源ID、资源类型、角色分类 查询权限 + * 该分类下不能有管理员角色,原始代码没有实现管理员角色的权限 * @param listPermissionFromRoleGroupReq * @return */ diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/IdentityAuthReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/IdentityAuthReq.java index 650d2e38..d45cd102 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/IdentityAuthReq.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/IdentityAuthReq.java 
@@ -3,7 +3,6 @@ package cn.axzo.tyr.client.model.req; import cn.axzo.framework.auth.domain.TerminalInfo; import cn.axzo.tyr.client.model.enums.IdentityType; import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; -import cn.axzo.tyr.client.model.res.IdentityAuthRes; import cn.hutool.core.collection.CollectionUtil; import lombok.AllArgsConstructor; import lombok.Builder; @@ -81,23 +80,6 @@ public class IdentityAuthReq { */ private Integer versionMax; - public IdentityAuthRes toEmpty() { - IdentityAuthRes result = new IdentityAuthRes(); - result.setIdentity(this.getIdentityId()); - result.setIdentityType(this.getIdentityType()); - result.setPersonId(this.getPersonId()); - - List permissions = this.getWorkspaceOusPairs().stream() - .map(workspaceOuPair -> IdentityAuthRes.WorkspacePermission.builder() - .workspaceId(workspaceOuPair.getWorkspaceId()) - .ouId(workspaceOuPair.getOuId()) - .build()) - .collect(Collectors.toList()); - result.setPermissions(permissions); - - return result; - } - public void distinctOUWorkspacePair() { if (CollectionUtil.isEmpty(this.workspaceOusPairs)) { return; diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListIdentityFromPermissionReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListIdentityFromPermissionReq.java index b68981af..ec61a422 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListIdentityFromPermissionReq.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListIdentityFromPermissionReq.java @@ -1,5 +1,6 @@ package cn.axzo.tyr.client.model.req; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -7,6 +8,7 @@ import lombok.NoArgsConstructor; import javax.validation.constraints.NotNull; import java.util.List; +import java.util.Set; /** @@ -40,4 +42,5 @@ public class ListIdentityFromPermissionReq { */ private String terminal; + private Set tags; } 
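Review bot: The new `tags` field on ListIdentityFromPermissionReq carries no Javadoc, unlike its neighbours, and its null/empty meaning is the important part: the service treats a missing set as "no tag filtering" (resolvePermissionAdminRole returns early only when tags are non-empty and lack JOINED), so a Feign caller cannot otherwise tell whether passing an empty set widens or narrows the result. Add `/** Role-permission tags to filter by; null or empty means no tag filtering. **/` above the field. The same undocumented `tags` field is added to OUWorkspacePair, WorkspacePermissionIdentityReq, the nested class in ListPermissionFromRoleGroupResp, FilterRoleAuth (which also gains an undocumented `ouId`) and the inner ListPermissionUser in TyrSaasAuthServiceImpl, and the same one-liner fits each of them.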
diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListPermissionFromRoleGroupReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListPermissionFromRoleGroupReq.java index f6245c80..c0076037 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListPermissionFromRoleGroupReq.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/ListPermissionFromRoleGroupReq.java @@ -2,6 +2,7 @@ package cn.axzo.tyr.client.model.req; import cn.axzo.tyr.client.common.enums.SaasPositionEnum; import cn.axzo.tyr.client.model.enums.IdentityType; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -9,6 +10,7 @@ import lombok.NoArgsConstructor; import javax.validation.constraints.NotNull; import java.util.List; +import java.util.Set; /** * 通过角色分组及分类查询人员的权限 diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/OUWorkspacePair.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/OUWorkspacePair.java index 64600db5..d11b1be7 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/OUWorkspacePair.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/OUWorkspacePair.java @@ -1,8 +1,10 @@ package cn.axzo.tyr.client.model.req; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import lombok.Data; import javax.validation.constraints.NotNull; +import java.util.Set; /** * OU和workspace对 @@ -28,4 +30,6 @@ public class OUWorkspacePair { /** 参建类型 - 直接依赖角色标签 不需要传了 **/ @Deprecated private Integer workspaceJoinType; + + private Set tags; } diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/WorkspacePermissionIdentityReq.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/WorkspacePermissionIdentityReq.java index 87c93534..f88bd05c 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/WorkspacePermissionIdentityReq.java 
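Review bot: Both hunks of ListPermissionFromRoleGroupReq add only imports (`RolePermissionTagEnum` and `Set`), and the diffstat reports exactly 2 insertions for this file, so nothing in the class uses them and they will be reported as unused imports. Either drop the two import lines or add the field the other request models in this commit gain, `private Set<RolePermissionTagEnum> tags;`, if this request was meant to support tag filtering too.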
+++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/req/WorkspacePermissionIdentityReq.java @@ -1,9 +1,11 @@ package cn.axzo.tyr.client.model.req; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import lombok.Data; import javax.validation.constraints.NotNull; import java.util.List; +import java.util.Set; /** * @version V1.0 @@ -20,4 +22,6 @@ public class WorkspacePermissionIdentityReq { /** 权限点CODE **/ @NotNull private List featureCodes; + + private Set tags; } diff --git a/tyr-api/src/main/java/cn/axzo/tyr/client/model/res/ListPermissionFromRoleGroupResp.java b/tyr-api/src/main/java/cn/axzo/tyr/client/model/res/ListPermissionFromRoleGroupResp.java index d2547c25..50db400c 100644 --- a/tyr-api/src/main/java/cn/axzo/tyr/client/model/res/ListPermissionFromRoleGroupResp.java +++ b/tyr-api/src/main/java/cn/axzo/tyr/client/model/res/ListPermissionFromRoleGroupResp.java @@ -1,6 +1,7 @@ package cn.axzo.tyr.client.model.res; import cn.axzo.tyr.client.model.enums.IdentityType; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import lombok.AllArgsConstructor; import lombok.Builder; import lombok.Data; @@ -88,6 +89,12 @@ public class ListPermissionFromRoleGroupResp { private Long featureId; /** 0:saas_feature,1:saas_feature_resource **/ private Integer relationType; + + private Set tags; + } + + public String buildOuWorkspaceKey() { + return this.getOuId() + "_" + this.getWorkspaceId(); } } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/model/FilterRoleAuth.java b/tyr-server/src/main/java/cn/axzo/tyr/server/model/FilterRoleAuth.java index 9a6a146b..fffb5cbd 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/model/FilterRoleAuth.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/model/FilterRoleAuth.java 
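Review bot: `buildOuWorkspaceKey()` silently yields keys such as `null_123` when ouId or workspaceId is unset, because string concatenation stringifies null, and two entries missing the same id would then collide in any map keyed on it. If both ids are mandatory for the key, fail fast with `return Objects.requireNonNull(getOuId(), "ouId") + "_" + Objects.requireNonNull(getWorkspaceId(), "workspaceId");` (needs `java.util.Objects`); otherwise state the null behaviour in a Javadoc. The brace placement puts the method on ListPermissionFromRoleGroupResp itself, directly after the nested class that gains `tags`, so a one-line Javadoc naming what the key identifies would also help readers of the rendered diff.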
@@ -1,5 +1,6 @@ package cn.axzo.tyr.server.model; +import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import cn.axzo.tyr.server.service.impl.TyrSaasAuthServiceImpl; import lombok.AllArgsConstructor; import lombok.Builder; @@ -7,6 +8,7 @@ import lombok.Data; import lombok.NoArgsConstructor; import java.util.List; +import java.util.Set; /** * 通过工作台过滤角色的权限 @@ -24,4 +26,7 @@ public class FilterRoleAuth { private Long workspaceId; + private Long ouId; + + private Set tags; } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/TyrSaasAuthService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/TyrSaasAuthService.java index 647fe20e..ad487d34 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/TyrSaasAuthService.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/TyrSaasAuthService.java @@ -49,10 +49,4 @@ public interface TyrSaasAuthService { * @return */ List listAuthByResourceAndRoleGroup(ListPermissionFromRoleGroupReq listPermissionFromRoleGroupReq); - - /** - * 增加统一的开关:权限是否从数据库查询 - * @return - */ - boolean permissionFromDB(); } diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java index e3bc0eda..08d7b461 100644 --- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java +++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/TyrSaasAuthServiceImpl.java @@ -12,7 +12,6 @@ import cn.axzo.tyr.client.model.enums.DelegatedType; import cn.axzo.tyr.client.model.enums.IdentityType; import cn.axzo.tyr.client.model.enums.RolePermissionTagEnum; import cn.axzo.tyr.client.model.req.CheckIdentityPermissionReq; -import cn.axzo.tyr.client.model.req.FeatureIdPair; import cn.axzo.tyr.client.model.req.IdentityAuthReq; import cn.axzo.tyr.client.model.req.ListIdentityFromPermissionReq; import cn.axzo.tyr.client.model.req.ListPermissionFromFeatureReq; 
@@ -21,9 +20,7 @@ import cn.axzo.tyr.client.model.req.ListPermissionFromRoleGroupReq; import cn.axzo.tyr.client.model.req.ListRoleReq; import cn.axzo.tyr.client.model.req.OUWorkspacePair; import cn.axzo.tyr.client.model.req.PageElementFeatureResourceRelationReq; -import cn.axzo.tyr.client.model.req.PagePgroupPermissionRelationReq; import cn.axzo.tyr.client.model.req.PageSaasFeatureResourceReq; -import cn.axzo.tyr.client.model.req.QueryPermissionByIdsReq; import cn.axzo.tyr.client.model.req.WorkspacePermissionIdentityReq; import cn.axzo.tyr.client.model.res.IdentityAuthRes; import cn.axzo.tyr.client.model.res.ListIdentityFromPermissionResp; 
@@ -31,23 +28,16 @@ import cn.axzo.tyr.client.model.res.ListPermissionFromRoleGroupResp; import cn.axzo.tyr.client.model.res.QueryIdentityByPermissionResp; import cn.axzo.tyr.client.model.res.SaasFeatureResourceResp; import cn.axzo.tyr.client.model.res.SaasRoleRes; -import cn.axzo.tyr.client.model.res.SimplePermissionPointResp; import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserV2DTO; import cn.axzo.tyr.client.model.roleuser.req.ListRoleUserRelationParam; import cn.axzo.tyr.server.model.FilterRoleAuth; -import cn.axzo.tyr.server.repository.dao.SaasPgroupRoleRelationDao; import cn.axzo.tyr.server.repository.entity.ProductFeatureInfo; import cn.axzo.tyr.server.repository.entity.ProductFeatureQuery; import cn.axzo.tyr.server.repository.entity.RolePermission; import cn.axzo.tyr.server.repository.entity.SaasFeature; import cn.axzo.tyr.server.repository.entity.SaasFeatureResource; import cn.axzo.tyr.server.repository.entity.SaasPageElementFeatureResourceRelation; -import cn.axzo.tyr.server.repository.entity.SaasPgroupPermissionRelation; -import cn.axzo.tyr.server.repository.entity.SaasPgroupRoleRelation; -import cn.axzo.tyr.server.repository.entity.SaasProductModuleFeatureRelation; -import cn.axzo.tyr.server.repository.entity.SaasRole; import cn.axzo.tyr.server.repository.entity.SaasRoleGroup; -import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation; import cn.axzo.tyr.server.repository.entity.SaasRoleWithUser; import cn.axzo.tyr.server.repository.mapper.SaasRoleUserRelationMapper; import cn.axzo.tyr.server.repository.mapper.TyrSaasAuthMapper; 
@@ -57,7 +47,6 @@ import cn.axzo.tyr.server.service.RolePermissionCacheService; import cn.axzo.tyr.server.service.RoleService; import cn.axzo.tyr.server.service.SaasFeatureResourceService; import cn.axzo.tyr.server.service.SaasPageElementFeatureResourceRelationService; -import cn.axzo.tyr.server.service.SaasPgroupPermissionRelationService; import cn.axzo.tyr.server.service.SaasRoleGroupService; import cn.axzo.tyr.server.service.SaasRoleUserRelationService; import cn.axzo.tyr.server.service.TyrSaasAuthService; @@ -68,7 +57,6 @@ import cn.azxo.framework.common.model.CommonResponse; import cn.azxo.framework.common.utils.LogUtil; import cn.hutool.core.collection.CollectionUtil; import cn.hutool.core.date.StopWatch; -import cn.hutool.core.util.BooleanUtil; import cn.hutool.core.util.NumberUtil; import cn.hutool.core.util.StrUtil; import com.google.common.collect.Lists; @@ -84,7 +72,6 @@ import org.apache.commons.lang3.StringUtils; import org.springframework.beans.BeanUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.beans.factory.annotation.Value; import org.springframework.cloud.context.config.annotation.RefreshScope; import org.springframework.stereotype.Service; import org.springframework.util.CollectionUtils; @@ -123,7 +110,6 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { private final TyrSaasAuthMapper saasAuthMapper; private final RoleService roleService; - private final RoleUserService roleUserService; private final ServicePkgClient servicePkgClient; @Qualifier("authExecutor") @Autowired 
@@ -135,20 +121,10 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { private final WorkspaceProductService workspaceProductService; private final SaasFeatureResourceService saasFeatureResourceService; private final SaasPageElementFeatureResourceRelationService saasPageElementFeatureResourceRelationService; - private final SaasPgroupPermissionRelationService saasPgroupPermissionRelationService; private final FeatureCodeUtil featureCodeUtil; - private final SaasPgroupRoleRelationDao saasPgroupRoleRelationDao; private final RolePermissionCacheService rolePermissionCacheService; private final SaasRoleUserRelationMapper saasRoleUserRelationMapper; - @Value("${permission.from.db:true}") - private boolean PERMISSION_FROM_DB; - - @Override - public boolean permissionFromDB() { - return BooleanUtil.isTrue(PERMISSION_FROM_DB); - } - /** * 通过身份查询人员权限 * @@ -440,6 +416,8 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { * 指定端的权限 */ private String terminal; + + private Set tags; } private Set checkFeatureCodes(ListPermissionUser param) { @@ -515,17 +493,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { @Override public ListIdentityFromPermissionResp listIdentityFromPermission(ListIdentityFromPermissionReq req) { - - if (this.permissionFromDB()) { - return listIdentityFromPermissionFromDB(req); - } - - try { - return listIdentityFromPermissionResp(req); - } catch (Exception ex) { - log.error("查询权限异常,执行降级处理"); - return listIdentityFromPermissionFromDB(req); - } + return listIdentityFromPermissionResp(req); } private ListIdentityFromPermissionResp listIdentityFromPermissionResp(ListIdentityFromPermissionReq req) { @@ -535,6 +503,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .ouId(req.getOuId()) .workspaceId(req.getWorkspaceId()) .terminal(req.getTerminal()) + .tags(req.getTags()) .build(); List userVOS = listPermissionUser(listPermissionUser); 
@@ -550,18 +519,13 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { return result; } - private List listAdminRole(ListPermissionUser req) { - //超管和管理员 - ListRoleReq listSaasRoleParam = ListRoleReq.builder() - .workspaceId(req.getWorkspaceId()) - .ouId(req.getOuId()) - .roleTypes(Lists.newArrayList(RoleTypeEnum.SUPER_ADMIN.getValue(), RoleTypeEnum.ADMIN.getValue())) - .build(); - return roleService.list(listSaasRoleParam); - } - private Set resolvePermissionAdminRole(List adminRoles, - List productPermissions) { + List productPermissions, + ListPermissionUser listPermissionUser) { + if (!CollectionUtils.isEmpty(listPermissionUser.getTags()) && !listPermissionUser.getTags().contains(RolePermissionTagEnum.JOINED)) { + return Collections.emptySet(); + } + Set cooperateTypes = productPermissions.stream() .map(ProductPermissionCacheService.PermissionDTO::getCooperateType) .collect(Collectors.toSet()); 
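Review bot: The new guard in resolvePermissionAdminRole changes a default silently: a caller that omits `tags` (null or empty) keeps the legacy behaviour of granting admin roles every product-matched permission, while any non-empty set without JOINED drops admin roles from this path entirely, and neither rule is documented on the method or on the request models. Add a Javadoc along the lines of `Admin roles get the product-matched permissions only when no tag filter is requested or the filter includes JOINED; see resolvePermissionAdminLeaveRole for the LEAVE case.` The guard uses Spring's `CollectionUtils.isEmpty` while its mirror in the next hunk checks `adminRoles` with hutool's `CollectionUtil.isEmpty` two lines before using `CollectionUtils` again; picking one utility for both methods makes the JOINED/LEAVE split easier to compare. The rest of resolvePermissionAdminRole continues past the hunk.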
@@ -572,60 +536,53 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .collect(Collectors.toSet()); } - private Set resolvePermissionNormalRole(ListPermissionUser req, - List productPermissions, - Set featureIds) { + private Set resolvePermissionAdminLeaveRole(List adminRoles, + List productPermissions, + ListPermissionUser listPermissionUser, + Set featureIds) { - // 因为通过权限id找对应的角色数据量巨大,所以通过找项目的角色,再找有权限的角色比较快 - Set allRoleIds = saasRoleUserRelationMapper.listRoleIds(SaasRoleUserRelationMapper.ListRole.builder() - .ouId(req.getOuId()) - .workspaceId(req.getWorkspaceId()) - .build()); - if (CollectionUtils.isEmpty(allRoleIds)) { + if (CollectionUtil.isEmpty(adminRoles)) { + log.info("no admin roles"); return Collections.emptySet(); } - List normalRoles = roleService.list(ListRoleReq.builder() - .roleIds(Lists.newArrayList(allRoleIds)) - .roleTypes(RoleTypeEnum.listNormal()) - .build()); - - if (CollectionUtils.isEmpty(normalRoles)) { + // 因为tag != LEAVE的权限,管理员的权限直接是产品匹配的权限 + if (CollectionUtils.isEmpty(listPermissionUser.getTags()) || !listPermissionUser.getTags().contains(RolePermissionTagEnum.LEAVE)) { return Collections.emptySet(); } RolePermissionCacheService.ListRolePermissionParam listRolePermissionParam = RolePermissionCacheService.ListRolePermissionParam.builder() - .roleIds(normalRoles.stream().map(SaasRoleRes::getId).collect(Collectors.toSet())) + .roleIds(adminRoles.stream().map(SaasRoleRes::getId).collect(Collectors.toSet())) .featureCodes(productPermissions.stream() .map(ProductPermissionCacheService.PermissionDTO::getFeatureCode) .collect(Collectors.toSet())) .build(); - Map> normalRolePermissionMap = rolePermissionCacheService.list(listRolePermissionParam); + Map> adminRolePermissionMap = rolePermissionCacheService.list(listRolePermissionParam); - Set normalRoleIds = normalRolePermissionMap.entrySet().stream() + Set adminRoleIds = adminRolePermissionMap.entrySet().stream() .filter(e -> !CollectionUtils.isEmpty(e.getValue())) 
.filter(e -> e.getValue().stream().anyMatch(p -> featureIds.contains(p.getFeatureId()))) - .filter(e -> StringUtils.isBlank(req.getTerminal()) - || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), req.getTerminal()))) + .filter(e -> StringUtils.isBlank(listPermissionUser.getTerminal()) + || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), listPermissionUser.getTerminal()))) .map(Map.Entry::getKey) .collect(Collectors.toSet()); - Map normalRoleMap = normalRoles.stream() - .filter(e -> normalRoleIds.contains(e.getId())) + Map adminRoleMap = adminRoles.stream() + .filter(e -> adminRoleIds.contains(e.getId())) .collect(Collectors.toMap(SaasRoleRes::getId, Function.identity())); Map> featureCodeCooperateTypeMap = productPermissions.stream() .collect(Collectors.groupingBy(ProductPermissionCacheService.PermissionDTO::getFeatureCode, Collectors.mapping(ProductPermissionCacheService.PermissionDTO::getCooperateType, Collectors.toSet()))); - return normalRolePermissionMap.entrySet().stream() + return adminRolePermissionMap.entrySet().stream() .filter(e -> { - SaasRoleRes saasRoleRes = normalRoleMap.get(e.getKey()); + SaasRoleRes saasRoleRes = adminRoleMap.get(e.getKey()); if (Objects.isNull(saasRoleRes)) { return false; } return e.getValue().stream() - .filter(f -> StringUtils.isBlank(req.getTerminal()) - || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), req.getTerminal()))) + .filter(f -> StringUtils.isBlank(listPermissionUser.getTerminal()) + || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), listPermissionUser.getTerminal()))) .anyMatch(f -> { Set productCooperateTypes = featureCodeCooperateTypeMap.get(f.getFeatureCode()); if (CollectionUtils.isEmpty(productCooperateTypes)) { 
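Review bot: In resolvePermissionAdminLeaveRole the per-permission filter `.filter(f -> StringUtils.isBlank(listPermissionUser.getTerminal()) || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), listPermissionUser.getTerminal())))` never references `f`; it re-evaluates the role-level condition that the earlier `adminRoleIds` filter already enforced, so it is true for every entry that reaches it and the cooperate-type match can be satisfied by a permission belonging to a different terminal than the one requested, which over-reports who holds a permission on that terminal. If the intent is to consider only permissions of the requested terminal, the predicate should be `Objects.equals(f.getTerminal(), listPermissionUser.getTerminal())`; if not, the filter is dead and should go. The pattern is inherited from the deleted resolvePermissionNormalRole, and its replacement in the next hunk does not filter per permission at all, so the two admin/normal paths currently disagree on this point. The method body continues beyond the hunk.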
@@ -638,19 +595,89 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { .collect(Collectors.toSet()); } + private Set resolvePermissionNormalRole(List allRoles, + ListPermissionUser req, + List productPermissions, + Set featureIds) { + + List normalRoles = allRoles.stream() + .filter(e -> !RoleTypeEnum.isAdmin(e.getRoleType())) + .collect(Collectors.toList()); + + if (CollectionUtils.isEmpty(normalRoles)) { + return Collections.emptySet(); + } + + Map normalRoleMap = normalRoles.stream() + .collect(Collectors.toMap(SaasRoleRes::getId, Function.identity())); + + Map> featureCodeCooperateTypeMap = productPermissions.stream() + .collect(Collectors.groupingBy(ProductPermissionCacheService.PermissionDTO::getFeatureCode, + Collectors.mapping(ProductPermissionCacheService.PermissionDTO::getCooperateType, Collectors.toSet()))); + + RolePermissionCacheService.ListRolePermissionParam listRolePermissionParam = RolePermissionCacheService.ListRolePermissionParam.builder() + .roleIds(normalRoles.stream().map(SaasRoleRes::getId).collect(Collectors.toSet())) + .featureCodes(productPermissions.stream() + .map(ProductPermissionCacheService.PermissionDTO::getFeatureCode) + .collect(Collectors.toSet())) + .build(); + Map> normalRolePermissionMap = rolePermissionCacheService.list(listRolePermissionParam); + + return normalRolePermissionMap.entrySet().stream() + .filter(e -> !CollectionUtils.isEmpty(e.getValue())) + .filter(e -> e.getValue().stream().anyMatch(p -> featureIds.contains(p.getFeatureId()))) + .filter(e -> StringUtils.isBlank(req.getTerminal()) + || e.getValue().stream().anyMatch(p -> Objects.equals(p.getTerminal(), req.getTerminal()))) + .filter(e -> e.getValue().stream() + .anyMatch(f -> { + SaasRoleRes saasRoleRes = normalRoleMap.get(e.getKey()); + if (Objects.isNull(saasRoleRes)) { + return false; + } + + Set productCooperateTypes = featureCodeCooperateTypeMap.get(f.getFeatureCode()); + if (CollectionUtils.isEmpty(productCooperateTypes)) { + return 
false; + } + return productCooperateTypes.contains(String.valueOf(saasRoleRes.getProductUnitType())); + })) + .map(Map.Entry::getKey) + .collect(Collectors.toSet()); + } + private List getWorkspaceUserV2(ListPermissionUser req, List productPermissions, Set featureIds) { - //超管和管理员 - List adminRoles = listAdminRole(req); + // 因为通过权限id找对应的角色数据量巨大,所以通过找项目的角色,再找有权限的角色比较快 + Set allRoleIds = saasRoleUserRelationMapper.listRoleIds(SaasRoleUserRelationMapper.ListRole.builder() + .ouId(req.getOuId()) + .workspaceId(req.getWorkspaceId()) + .build()); + if (CollectionUtils.isEmpty(allRoleIds)) { + return Collections.emptyList(); + } - Set adminPermissionRoleIds = resolvePermissionAdminRole(adminRoles, productPermissions); - Set normalPermissionRoleIds = resolvePermissionNormalRole(req, productPermissions, featureIds); + List allRoles = roleService.list(ListRoleReq.builder() + .roleIds(Lists.newArrayList(allRoleIds)) + .build()); + if (CollectionUtils.isEmpty(allRoles)) { + return Collections.emptyList(); + } + + //超管和管理员 + List adminRoles = allRoles.stream() + .filter(e -> RoleTypeEnum.isAdmin(e.getRoleType())) + .collect(Collectors.toList()); + + Set adminPermissionRoleIds = resolvePermissionAdminRole(adminRoles, productPermissions, req); + Set normalPermissionRoleIds = resolvePermissionNormalRole(allRoles, req, productPermissions, featureIds); + Set adminLeavePermissionRoleIds = resolvePermissionAdminLeaveRole(adminRoles, productPermissions, req, featureIds); Set roleIds = Sets.newHashSet(); roleIds.addAll(adminPermissionRoleIds); roleIds.addAll(normalPermissionRoleIds); + roleIds.addAll(adminLeavePermissionRoleIds); if (CollectionUtil.isEmpty(roleIds)) { log.warn("no role matched product unit types"); 
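Review bot: The rewritten resolvePermissionNormalRole and resolvePermissionAdminLeaveRole each build `featureCodeCooperateTypeMap` and the feature-code set for `ListRolePermissionParam` from the same `productPermissions`, and getWorkspaceUserV2 now calls both; computing those two once in getWorkspaceUserV2 and passing them down removes the duplicated stream code. Inside the final stream of resolvePermissionNormalRole the `normalRoleMap.get(e.getKey())` lookup and null check run once per permission rather than once per role; hoisting them to `.filter(e -> normalRoleMap.containsKey(e.getKey()))` ahead of the `anyMatch` is shorter and avoids the repeated lookup. Note also that `req.getTags()` is consulted for admin roles only; if normal-role permissions can carry tags, this path does not filter by them — confirm that is intended. getWorkspaceUserV2 continues past the hunk.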
@@ -818,7 +845,7 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { * @param filterRoleAuths * @return KEY :role Id ; VALUE: feature id ; */ - public Map> filterAuthByRoleAndProduct(List filterRoleAuths) { + private Map> filterAuthByRoleAndProduct(List filterRoleAuths) { Set roleIds = filterRoleAuths.stream().map(FilterRoleAuth::getRoleId).collect(Collectors.toSet()); ListRoleReq listSaasRoleParam = ListRoleReq.builder() 
@@ -904,170 +931,33 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService { @Override public List listWorkspacePermissionIdentity(WorkspacePermissionIdentityReq req) { - if (this.permissionFromDB()) { - return listWorkspacePermissionIdentityFromDB(req); + Set newFeatureCodes = featureCodeUtil.resolveFeatureCode(Sets.newHashSet(req.getFeatureCodes())); + + Set featureCodes = Sets.newHashSet(req.getFeatureCodes()); + featureCodes.addAll(newFeatureCodes); + + ListPermissionUser listPermissionUser = ListPermissionUser.builder() + .featureCodes(featureCodes) + .workspaceId(req.getWorkspaceId()) + .tags(req.getTags()) + .build(); + List users = listPermissionUser(listPermissionUser); + + if (CollectionUtil.isEmpty(users)) { + return Collections.emptyList(); } - - try { - Set newFeatureCodes = featureCodeUtil.resolveFeatureCode(Sets.newHashSet(req.getFeatureCodes())); - - Set featureCodes = Sets.newHashSet(req.getFeatureCodes()); - featureCodes.addAll(newFeatureCodes); - - ListPermissionUser listPermissionUser = ListPermissionUser.builder() - .featureCodes(featureCodes) + //按ou分组返回 + List result = new ArrayList<>(); + Map> userMap = users.stream() + .collect(Collectors.groupingBy(ListIdentityFromPermissionResp.UserVO::getOuId)); + for (Map.Entry> entry : userMap.entrySet()) { + result.add(ListIdentityFromPermissionResp.builder() .workspaceId(req.getWorkspaceId()) - .build(); - List users = listPermissionUser(listPermissionUser); - - if (CollectionUtil.isEmpty(users)) { - return Collections.emptyList(); - } - //按ou分组返回 - List result = new ArrayList<>(); - Map> userMap = users.stream() - .collect(Collectors.groupingBy(ListIdentityFromPermissionResp.UserVO::getOuId)); - for (Map.Entry> entry : userMap.entrySet()) { - result.add(ListIdentityFromPermissionResp.builder() - .workspaceId(req.getWorkspaceId()) - .ouId(entry.getKey()) - .users(entry.getValue()) - .build()); - } - return result; - } catch (Exception ex) { - log.error("查询权限异常,执行降级处理"); - return 
listWorkspacePermissionIdentityFromDB(req); + .ouId(entry.getKey()) + .users(entry.getValue()) + .build()); } - } - - private List listFeatureRoles(Set featureIds, Integer type) { - if (CollectionUtils.isEmpty(featureIds)) { - return Collections.emptyList(); - } - - List relations = saasPgroupPermissionRelationService.list(PagePgroupPermissionRelationReq.builder() - .featureIds(Lists.newArrayList(featureIds)) - .type(type) - .build()); - if (CollectionUtils.isEmpty(relations)) { - return Collections.emptyList(); - } - - List saasPgroupRoleRelations = saasPgroupRoleRelationDao.listByGroupIds(Lists.transform(relations, SaasPgroupPermissionRelation::getGroupId)); - - if (CollectionUtils.isEmpty(saasPgroupRoleRelations)) { - return Collections.emptyList(); - } - - return roleService.list(ListRoleReq.builder() - .roleIds(Lists.transform(saasPgroupRoleRelations, SaasPgroupRoleRelation::getRoleId)) - .build()) - .stream() - .map(e -> { - SaasRole saasRole = new SaasRole(); - BeanUtils.copyProperties(e, saasRole); - return saasRole; - }) - .collect(Collectors.toList()); - } - - private List getWorkspaceUser(Long workspaceId, Long ouId, - List workspaceProducts) { - Set newProductTypes = workspaceProducts.stream() - .filter(e -> Objects.equals(e.getType(), NEW_FEATURE)) - .map(SaasProductModuleFeatureRelation::getDictCode) - .map(Integer::valueOf) - .collect(Collectors.toSet()); - - Set newMatchedFeatureIds = workspaceProducts.stream() - .filter(e -> Objects.equals(e.getType(), NEW_FEATURE)) - .map(SaasProductModuleFeatureRelation::getFeatureId) - .collect(Collectors.toSet()); - - Set oldProductTypes = workspaceProducts.stream() - .filter(e -> Objects.equals(e.getType(), OLD_FEATURE)) - .map(SaasProductModuleFeatureRelation::getDictCode) - .map(Integer::valueOf) - .collect(Collectors.toSet()); - - Set oldMatchedFeatureIds = workspaceProducts.stream() - .filter(e -> Objects.equals(e.getType(), OLD_FEATURE)) - .map(SaasProductModuleFeatureRelation::getFeatureId) - 
.collect(Collectors.toSet()); - - //超管和管理员 - List adminRoles = roleService.listAdmins(workspaceId, ouId); - if (CollectionUtil.isEmpty(adminRoles)) { - log.warn("no admin roles found for workspaceId:{}, ouId:{}", workspaceId, ouId); - } - - Set superAdmins = adminRoles.stream() - .filter(r -> RoleTypeEnum.SUPER_ADMIN.getValue().equals(r.getRoleType())) - .map(SaasRole::getId) - .collect(Collectors.toSet()); - - //普通角色 权限点查角色 -- 不考虑 角色权限集例外 - // 多版本只会存在一段时间,减少代码复杂度,所以查询多次 - List oldNormalSaasRoles = listFeatureRoles(oldMatchedFeatureIds, OLD_FEATURE); - List newNormalSaasRoles = listFeatureRoles(newMatchedFeatureIds, NEW_FEATURE); - - List roleIds = Lists.newArrayList(); - // 超管不用区分新老版本 - List adminRoleIds = adminRoles.stream() - .filter(r -> newProductTypes.contains(r.getProductUnitType()) || oldProductTypes.contains(r.getProductUnitType())) - .map(SaasRole::getId) - .collect(Collectors.toList()); - - List oldNormalRoleIds = oldNormalSaasRoles.stream() - .filter(r -> oldProductTypes.contains(r.getProductUnitType())) - .map(SaasRole::getId) - .collect(Collectors.toList()); - - List newNormalRoleIds = newNormalSaasRoles.stream() - .filter(r -> newProductTypes.contains(r.getProductUnitType())) - .map(SaasRole::getId) - .collect(Collectors.toList()); - - //匹配角色和产品标签 - roleIds.addAll(adminRoleIds); - roleIds.addAll(oldNormalRoleIds); - roleIds.addAll(newNormalRoleIds); - - if (CollectionUtil.isEmpty(roleIds)) { - log.warn("no role matched product unit types"); - return Collections.emptyList(); - } - - //角色查人 - List relations = roleUserService.listByRoleIds(roleIds, ouId, workspaceId); - if (CollectionUtil.isEmpty(relations)) { - log.warn("no user role relation found. 
roleIds:{}, ouId:{} workspaceId:{}", roleIds, ouId, workspaceId); - return Collections.emptyList(); - } - - //ouId -> resp : ou-identityId-identityType维度去重 - Map distinctMap = new HashMap<>(); - //组装去重 - for (SaasRoleUserRelation relation : relations) { - String key = KeyUtil.buildKeyBySeparator(relation.getOuId(), relation.getIdentityId(), relation.getIdentityType()); - ListIdentityFromPermissionResp.UserVO user = distinctMap.get(key); - if (user == null) { - user = ListIdentityFromPermissionResp.UserVO.builder() - .ouId(relation.getOuId()) - .identityId(relation.getIdentityId()) - .identityType(relation.getIdentityType()) - .personalId(relation.getNaturalPersonId()) - .build(); - } - if (superAdmins.contains(relation.getRoleId())) { - //超管 - user.setSuperAdmin(true); - } - distinctMap.put(key, user); - } - - return new ArrayList<>(distinctMap.values()); + return result; } private List mockRoleUserRelationV2(IdentityAuthReq identityAuthReq) { 
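Review bot: In the simplified listWorkspacePermissionIdentity, `Collectors.groupingBy(ListIdentityFromPermissionResp.UserVO::getOuId)` throws a NullPointerException for any user whose ouId is null, because groupingBy rejects null keys; the previous version ran this inside its try/catch and fell back to the DB path, but with the fallback removed the exception now propagates to the Feign caller. If a null ouId is possible, filter such users out or map them to an explicit key before grouping. The manual loop over `userMap.entrySet()` could also be a stream: `userMap.entrySet().stream().map(entry -> ListIdentityFromPermissionResp.builder().workspaceId(req.getWorkspaceId()).ouId(entry.getKey()).users(entry.getValue()).build()).collect(Collectors.toList())`.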
@@ -1527,180 +1417,4 @@ public class TyrSaasAuthServiceImpl implements TyrSaasAuthService {
 */
 private Integer type;
 }
-
- private List listOldFeatures(Set featureWrappers) {
- Set featureIds = featureWrappers.stream()
- .filter(e -> Objects.equals(e.getType(), OLD_FEATURE))
- .map(FeatureWrapper::getFeatureId)
- .collect(Collectors.toSet());
-
- if (CollectionUtils.isEmpty(featureIds)) {
- return Collections.emptyList();
- }
-
- return permissionPointService.listPermissionByIds(
- QueryPermissionByIdsReq.builder()
- .ids(featureIds)
- .includeParent(true)
- .build());
- }
-
- public ListIdentityFromPermissionResp listIdentityFromPermissionFromDB(ListIdentityFromPermissionReq req) {
- ListIdentityFromPermissionResp result = new ListIdentityFromPermissionResp();
- result.setOuId(req.getOuId());
- result.setWorkspaceId(req.getWorkspaceId());
-
- Set newFeatureCodes = featureCodeUtil.resolveFeatureCode(Sets.newHashSet(req.getFeatureCode()));
-
- //code查询权限点信息
- List features = permissionPointService.listNodeWithChildrenByCodes(Lists.newArrayList(newFeatureCodes), req.getTerminal());
-
- // 兼容新老版本,需要通过featureCode查询新版本的features,原逻辑是查询当前菜单资源的所有子数据
- ListSaasFeatureResourceParam listSaasFeatureResourceParam = ListSaasFeatureResourceParam.builder()
- .featureCodes(newFeatureCodes)
- .terminal(req.getTerminal())
- .build();
- List saasFeatureResources = listSaasFeatureResource(listSaasFeatureResourceParam);
-
- if (CollectionUtil.isEmpty(features) && CollectionUtils.isEmpty(saasFeatureResources)) {
- log.warn("no features data found for:{}", req.getFeatureCode());
- return result;
- }
- //是否免授权权限点
- Optional freeFeature = features.stream()
- .filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
- .findAny();
-
- Optional freeFeatureResource = saasFeatureResources.stream()
- .filter(e -> SaasFeatureResource.AuthType.isAllRole(e.getAuthType()))
- .findFirst();
-
- if (freeFeature.isPresent() || freeFeatureResource.isPresent()) {
- log.warn("free feature found : featureId:{}, featureResourceId:{}",
- freeFeature.map(SaasFeature::getId).orElse(null),
- freeFeatureResource.map(SaasFeatureResourceResp::getId).orElse(null));
- throw new ServiceException("不能查询免授权权限点人员");
- }
-
- Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
- Set newFeatureIds = saasFeatureResources.stream().map(SaasFeatureResourceResp::getId).collect(Collectors.toSet());
-
- List featureIdPairs = Lists.newArrayList();
- if (!CollectionUtils.isEmpty(featureIds)) {
- featureIdPairs.add(FeatureIdPair.builder().featureIds(featureIds).type(OLD_FEATURE).build());
- }
-
- if (!CollectionUtils.isEmpty(newFeatureIds)) {
- featureIdPairs.add(FeatureIdPair.builder().featureIds(newFeatureIds).type(NEW_FEATURE).build());
- }
- WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
- .workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
- .featureIdPairs(featureIdPairs)
- .build();
- List workspaceProducts = workspaceProductService.listWorkspaceProduct(workspaceProductParam)
- .stream()
- .map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
- .filter(Objects::nonNull)
- .flatMap(Collection::stream)
- .collect(Collectors.toList());
-
- if (CollectionUtil.isEmpty(workspaceProducts)) {
- log.warn("no matched product feature in workspace");
- return result;
- }
-
- List matchedUsers = getWorkspaceUser(req.getWorkspaceId(), req.getOuId(), workspaceProducts);
- if (CollectionUtil.isEmpty(matchedUsers)) {
- return result;
- }
- result.setUsers(matchedUsers);
- return result;
- }
-
- public List listWorkspacePermissionIdentityFromDB(WorkspacePermissionIdentityReq req) {
-
- Set newFeatureCodes = featureCodeUtil.resolveFeatureCode(Sets.newHashSet(req.getFeatureCodes()));
- req.setFeatureCodes(Lists.newArrayList(newFeatureCodes));
-
- //code查询权限点信息
- List features = permissionPointService.listNodeWithChildrenByCodes(req.getFeatureCodes(), null);
-
- // 兼容新老版本,需要通过featureCode查询新版本的features,原逻辑是查询当前菜单资源的所有子数据
- ListSaasFeatureResourceParam listSaasFeatureResourceParam = ListSaasFeatureResourceParam.builder()
- .featureCodes(Sets.newHashSet(req.getFeatureCodes()))
- .build();
- List saasFeatureResources = listSaasFeatureResource(listSaasFeatureResourceParam);
-
- if (CollectionUtil.isEmpty(features) && CollectionUtils.isEmpty(saasFeatureResources)) {
- log.warn("no features data found for:{}", req.getFeatureCodes());
- return Collections.emptyList();
- }
- Set featureIds = features.stream().map(SaasFeature::getId).collect(Collectors.toSet());
- Set newFeatureIds = saasFeatureResources.stream().map(SaasFeatureResourceResp::getId).collect(Collectors.toSet());
- List featureIdPairs = Lists.newArrayList();
-
- if (!CollectionUtils.isEmpty(featureIds)) {
- featureIdPairs.add(FeatureIdPair.builder().featureIds(featureIds).type(OLD_FEATURE).build());
- }
-
- if (!CollectionUtils.isEmpty(newFeatureIds)) {
- featureIdPairs.add(FeatureIdPair.builder().featureIds(newFeatureIds).type(NEW_FEATURE).build());
- }
- WorkspaceProductService.WorkspaceProductParam workspaceProductParam = WorkspaceProductService.WorkspaceProductParam.builder()
- .workspaceIds(Sets.newHashSet(req.getWorkspaceId()))
- .featureIdPairs(featureIdPairs)
- .build();
- List workspaceProducts = workspaceProductService.listWorkspaceProduct(workspaceProductParam)
- .stream()
- .map(WorkspaceProductService.WorkspaceProduct::getSaasProductModuleFeatureRelations)
- .filter(Objects::nonNull)
- .flatMap(Collection::stream)
- .collect(Collectors.toList());
-
- if (CollectionUtil.isEmpty(workspaceProducts)) {
- log.warn("no matched feature in workspace product");
- return Collections.emptyList();
- }
-
- //是否免授权权限点
- Set matchedOldFeatureIds = workspaceProducts.stream()
- .filter(e -> Objects.equals(OLD_FEATURE, e.getType()))
- .map(SaasProductModuleFeatureRelation::getFeatureId)
- .collect(Collectors.toSet());
- Optional freeFeature = features.stream()
- .filter(f -> matchedOldFeatureIds.contains(f.getId()))
- .filter(f -> DelegatedType.NO_NEED.sameCode(f.getDelegatedType()))
- .findAny();
-
- Set matchedNewFeatureIds = workspaceProducts.stream()
- .filter(e -> Objects.equals(NEW_FEATURE, e.getType()))
- .map(SaasProductModuleFeatureRelation::getFeatureId)
- .collect(Collectors.toSet());
-
- Optional freeFeatureResource = saasFeatureResources.stream()
- .filter(f -> matchedNewFeatureIds.contains(f.getId()))
- .filter(e -> SaasFeatureResource.AuthType.isAllRole(e.getAuthType()))
- .findFirst();
- if (freeFeature.isPresent() || freeFeatureResource.isPresent()) {
- throw new ServiceException("免授权权限点调用查人接口");
- }
-
- //从相关角色查询用户-超管和普通角色
- List users = getWorkspaceUser(req.getWorkspaceId(), null, workspaceProducts);
- if (CollectionUtil.isEmpty(users)) {
- return Collections.emptyList();
- }
- //按ou分组返回
- List result = new ArrayList<>();
- Map> userMap = users.stream()
- .collect(Collectors.groupingBy(ListIdentityFromPermissionResp.UserVO::getOuId));
- for (Map.Entry> entry : userMap.entrySet()) {
- result.add(ListIdentityFromPermissionResp.builder()
- .workspaceId(req.getWorkspaceId())
- .ouId(entry.getKey())
- .users(entry.getValue())
- .build());
- }
- return result;
- }
 }